Which of the following EAP authentication protocols requires both a client and a server digital certificate?
(Select the best answer.)
A. LEAP
B. PEAP
C. EAP-FAST
D. EAP-TLS
Explanation:
Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS), or EAP-TLS, requires both a client and a server
digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and for
both wired and wireless links. EAP-TLS performs mutual authentication to secure the authentication process.
When EAP-TLS is used, a digital certificate must be installed on the authentication server and on each client that
must authenticate with the server. The digital certificates used on the clients and the server must be obtained from
the same certificate authority (CA).
Protected EAP (PEAP) does not require that clients be configured with digital certificates. When PEAP is
used, only servers are required to be configured with digital certificates. Clients can use alternative
authentication methods, such as one-time passwords (OTPs).
Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital certificate.
When LEAP is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User
Service (RADIUS) server. The RADIUS server responds with a challenge, and the client returns its response. If the
challenge/response process is successful, the client then validates that the RADIUS server is the correct one for
the network. If the RADIUS server is validated, the client connects to the network.
Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) does not require either the server or
the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access Credentials
(PACs) are used to authenticate users. The EAP-FAST authentication process consists of three phases. The
first phase, which is optional and is considered phase 0, consists of provisioning a client with a PAC, which is a
digital credential that is used for authentication. A PAC can be manually configured on a client, in which case
phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure tunnel
between the client and the server. The final phase, which is referred to as phase 2, involves authenticating the
client. If the client is authenticated, the client will be able to access the network.
Reference: Cisco: EAP-TLS Deployment Guide for Wireless LAN Networks: 5.2 Certificate Requirements